path: root/main/mutt/CVE-2014-9116.patch
# HG changeset patch
# User Kevin McCarthy <kevin@8t8.us>
# Date 1417472364 28800
#      Mon Dec 01 14:19:24 2014 -0800
# Branch stable
# Node ID 0aebf1df43598b442ac75ae4fe17875351854db0
# Parent  5a86319adad0d17e4acaf8a580bfc9eb247547d0
Revert write_one_header() to skip space and tab.  (closes #3716)

This patch fixes CVE-2014-9116 in the stable branch.  It reverts
write_one_header() to the pre [f251d523ca5a] code for skipping
whitespace.

Thanks to Antonio Radici and Tomas Hoger for their analysis and patches
to mutt, which this patch is based off of.

diff --git a/sendlib.c b/sendlib.c
--- a/sendlib.c
+++ b/sendlib.c
@@ -1809,17 +1809,24 @@
     {
       tagbuf = NULL;
       valbuf = mutt_substrdup (start, end);
     }
     else
     {
       tagbuf = mutt_substrdup (start, t);
       /* skip over the colon separating the header field name and value */
-      t = skip_email_wsp(t + 1);
+      ++t;
+
+      /* skip over any leading whitespace (WSP, as defined in RFC5322)
+       * NOTE: skip_email_wsp() does the wrong thing here.
+       *       See tickets 3609 and 3716. */
+      while (*t == ' ' || *t == '\t')
+        t++;
+
       valbuf = mutt_substrdup (t, end);
     }
     dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
 	      "max width = %d > %d\n",
 	      NONULL(pfx), valbuf, max, wraplen));
     if (fold_one_header (fp, tagbuf, valbuf, pfx, wraplen, flags) < 0)
       return -1;
     FREE (&tagbuf);
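Review bot: The new loop `while (*t == ' ' || *t == '\t')` stops only on the bytes it reads and is never compared against `end`, so `mutt_substrdup (t, end)` is safe only if a non-WSP byte (newline or NUL) sits at or before `end`. That appears to hold for the callers this fix targets, but it is an unstated invariant, and it is the same one that `skip_email_wsp()` violated. Bounding the loop explicitly would make the guarantee local: `while (t < end && (*t == ' ' || *t == '\t'))`. The comment could also state the reason, e.g. `/* must not advance past end: mutt_substrdup (t, end) requires t <= end */`. `mutt_substrdup()` and the rest of `write_one_header()` are outside this hunk, so whether the callee itself rejects `t > end` cannot be confirmed from here.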